From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC PATCH] Add an interface for systemd services logging config
Date: Mon, 11 Jan 2016 21:41:12 +0100	[thread overview]
Message-ID: <20160111204111.GA15886@x250> (raw)
In-Reply-To: <1452539261-17628-1-git-send-email-nicolas.iooss@m4x.org>

On Mon, Jan 11, 2016 at 08:07:41PM +0100, Nicolas Iooss wrote:
> Many systemd services use log_parse_environment and log_open systemd
> functions to configure the way they log messages.  These functions
> require permissions like reading /proc/cmdline and /proc/1/environ to
> run properly, and then the service which used them needs to be able to
> send messages over /run/systemd/journal/socket Unix socket.  When
> connecting to the socket, systemd tries to modify the sending buffer
> with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
> CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
> Therefore CAP_NET_ADMIN does not need to be granted to every systemd
> service using logging.
> 
> As all these accesses are shared among many systemd services, create an
> interface to allow them all at once.

I suspect that this is not limited to just systemd services.

Another thing I noticed is that they (or some of them) also want to
traverse (or get the attributes of) /run/systemd/system.

Anyhow. I probably would keep this separate from
logging_send_syslog_msg()

You might also be able to use a type attribute here

for example in systemd:

dontaudit parse_log_env_domain_type self:capability net_admin;
kernel_read_system_state(parse_log_env_domain_type) 
init_read_state(parse_log_env_domain_type)

Then just associate the type attribute with domain types that do the log
env parsing

logging_send_syslog_msg (mydomain_t)

ifdef(`init_systemd',`
    systemd_parse_log_env(mydomain_t)
')

or something...

In my personal dssp policy I just allowed all (journald) log clients to read
systemd state (my common domains can already read generic proc files by
default) unconditionally. I also allowed log clients to traverse
/run/systemd/system.

I basically use a different module for each log daemon instead of
lumping them all together. It is up to the end-user to pick and choose
the modules to use.

> ---
> 
> This is "RFC PATCH" because it might be better to allow these accesses
> for each service in systemd.te instead.
> 
> In case it is relevant, here are the relevant AVC denials for
> systemd-networkd service (which is not handled by refpolicy yet):
> 
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { search } for
>   pid=848 comm="systemd-network" name="1" dev="proc" ino=11
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=dir permissive=1
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { read } for
>   pid=848 comm="systemd-network" name="environ" dev="proc" ino=12
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { open } for
>   pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc"
>   ino=12 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=file permissive=1
> 
>   type=AVC msg=audit(1452497098.233:182): avc:  denied  { read } for
>   pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:182): avc:  denied  { open } for
>   pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
>   ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:183): avc:  denied  { getattr } for
>   pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
>   ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
> 
>   type=AVC msg=audit(1452497098.233:184): avc:  denied  { create } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:185): avc:  denied  { getopt } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:186): avc:  denied  { setopt } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:186): avc:  denied  { net_admin } for
>   pid=848 comm="systemd-network" capability=12
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=capability
>   permissive=1
> 
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { connect } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { write } for
>   pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { sendto } for
>   pid=848 comm="systemd-network" path="/run/systemd/journal/socket"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
> 
>  policy/modules/system/systemd.if | 42 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/system/systemd.te | 14 +++++++-------
>  2 files changed, 49 insertions(+), 7 deletions(-)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd667000098..9972f6916597 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -171,3 +171,45 @@ interface(`systemd_start_power_units',`
>  
>  	allow $1 power_unit_t:service start;
>  ')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to parse environment to set up logging.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Many systemd services set up their logging by calling
> +##	functions log_parse_environment() and log_open(), which
> +##	source codes are available on
> +##	https://github.com/systemd/systemd/blob/v227/src/basic/log.c
> +##	</p>
> +##	<p>
> +##	Function log_parse_environment calls parse_proc_cmdline,
> +##	which reads /proc/cmdline and calls detect_container,
> +##	which reads /proc/1/environ.
> +##	</p>
> +##	<p>
> +##	Function log_open may call log_open_syslog, which calls
> +##	create_log_socket, which calls fd_inc_sndbuf, which does
> +##	setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which
> +##	requires CAP_NET_ADMIN.  Nevertheless if the process does not
> +##	have CAP_NET_ADMIN access, fd_inc_sndbuf falls back to using
> +##	SO_SNDBUF option, which does not require any capability.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`systemd_parse_log_environment',`
> +	# Allow to read /proc/1/environ
> +	init_read_state($1)
> +	# Allow to read /proc/cmdline
> +	kernel_read_system_state($1)
> +	# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure
> +	dontaudit $1 self:capability net_admin;
> +
> +	logging_send_syslog_msg($1)
> +')
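Review bot: the summary and the `<desc>` only describe the two /proc reads and the SO_SNDBUFFORCE dontaudit, but the body also calls logging_send_syslog_msg($1), so every caller silently gets journal/syslog send access that the documentation never mentions; either say so in the summary (for example "Allow specified domain to parse the logging environment and send log messages") or drop that call and let callers keep their own logging_send_syslog_msg(), which is also what the reply above argues for and avoids granting socket access to a domain that parses the environment but logs elsewhere. Two wording nits in the same hunk: "which source codes are available on" should read "whose source code is available at", and the "Allow to read ..." comments read better as "Allow reading ...".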
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 88924473f7aa..e95d54c4086c 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -120,7 +120,7 @@ kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>  
>  init_stream_connect(systemd_cgroups_t)
>  
> -logging_send_syslog_msg(systemd_cgroups_t)
> +systemd_parse_log_environment(systemd_cgroups_t)
>  
>  kernel_dgram_send(systemd_cgroups_t)
>  
> @@ -133,7 +133,7 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>  
>  files_read_etc_files(systemd_locale_t)
>  
> -logging_send_syslog_msg(systemd_locale_t)
> +systemd_parse_log_environment(systemd_locale_t)
>  
>  seutil_read_file_contexts(systemd_locale_t)
>  
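Review bot: the new call is placed before seutil_read_file_contexts(systemd_locale_t), while the tmpfiles hunk further down moves the same call after seutil_read_file_contexts() to keep interface calls in alphabetical module order; move it after seutil_read_file_contexts() here too so the call sites are consistent.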
> @@ -151,7 +151,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>  
>  files_read_etc_files(systemd_hostnamed_t)
>  
> -logging_send_syslog_msg(systemd_hostnamed_t)
> +systemd_parse_log_environment(systemd_hostnamed_t)
>  
>  seutil_read_file_contexts(systemd_hostnamed_t)
>  
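Review bot: same ordering point as for systemd_locale_t: systemd_parse_log_environment(systemd_hostnamed_t) should follow seutil_read_file_contexts(systemd_hostnamed_t), as the tmpfiles hunk does, rather than sit in the slot the old logging_send_syslog_msg() call occupied.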
> @@ -210,7 +210,7 @@ init_read_state(systemd_logind_t)
>  
>  locallogin_read_state(systemd_logind_t)
>  
> -logging_send_syslog_msg(systemd_logind_t)
> +systemd_parse_log_environment(systemd_logind_t)
>  
>  systemd_start_power_units(systemd_logind_t)
>  
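Review bot: the hunk header context shows init_read_state(systemd_logind_t) is already called directly a few lines above; since systemd_parse_log_environment() now calls init_read_state($1) itself, that direct call becomes redundant and should be removed in the same patch (the duplicate is harmless to the compiled policy, but it obscures which call site the /proc/1/environ access actually depends on).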
> @@ -232,7 +232,7 @@ optional_policy(`
>  allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>  
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_parse_log_environment(systemd_sessions_t)
>  
>  #########################################
>  #
> @@ -258,10 +258,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
>  auth_relabel_login_records(systemd_tmpfiles_t)
>  auth_setattr_login_records(systemd_tmpfiles_t)
>  
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
>  seutil_read_file_contexts(systemd_tmpfiles_t)
>  
> +systemd_parse_log_environment(systemd_tmpfiles_t)
> +
>  tunable_policy(`systemd_tmpfiles_manage_all',`
>  	# systemd-tmpfiles can be configured to manage anything.
>  	# have a last-resort option for users to do this.
> -- 
> 2.7.0
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
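The SO_SNDBUFFORCE-then-SO_SNDBUF fallback that the commit message describes for systemd's fd_inc_sndbuf(), as an added example written for this page in Python rather than systemd's C; it is not systemd's code. It assumes a Linux kernel: SO_SNDBUFFORCE is the Linux value 32 from asm-generic/socket.h (Python's socket module does not necessarily export it), EPERM is what an unprivileged caller gets back, and the doubled size reported by getsockopt is Linux bookkeeping behaviour.

```python
"""Raise a socket send buffer the way the commit message describes systemd
doing it: try SO_SNDBUFFORCE first, fall back to SO_SNDBUF.

Added example for this thread, not systemd code.  Assumes Linux.
"""
import errno
import socket

# Linux value from <asm-generic/socket.h>; Python may not export the constant.
SO_SNDBUFFORCE = getattr(socket, "SO_SNDBUFFORCE", 32)


def inc_sndbuf(sock, nbytes):
    """Return (option_used, effective_size) after trying to grow the buffer.

    SO_SNDBUFFORCE bypasses net.core.wmem_max but needs CAP_NET_ADMIN; without
    it the kernel answers EPERM (and SELinux logs or dontaudits a net_admin
    denial).  SO_SNDBUF needs no capability but is clamped to wmem_max.  Linux
    stores and reports double the requested value, so compare the effective
    size via getsockopt instead of assuming nbytes took effect.
    """
    try:
        sock.setsockopt(socket.SOL_SOCKET, SO_SNDBUFFORCE, nbytes)
        used = "SO_SNDBUFFORCE"
    except OSError as exc:
        # EPERM: no CAP_NET_ADMIN.  ENOPROTOOPT: kernel without the option.
        if exc.errno not in (errno.EPERM, errno.ENOPROTOOPT):
            raise
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, nbytes)
        used = "SO_SNDBUF"
    return used, sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF)


def demo(nbytes=8 * 1024 * 1024):
    """Apply inc_sndbuf() to a fresh AF_UNIX datagram socket, the socket type
    systemd uses towards /run/systemd/journal/socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        return inc_sndbuf(sock, nbytes)


if __name__ == "__main__":
    used, size = demo()
    print(f"{used}: effective send buffer {size} bytes")
```

Run unprivileged, the first setsockopt fails with EPERM and the effective size is 2 * min(requested, wmem_max); that failed attempt is exactly the net_admin event the patch's dontaudit silences. Run with CAP_NET_ADMIN, the first call succeeds and wmem_max is ignored, which is why the capability should not be granted just to make the log fall through quietly.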

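A minimal audit2allow-style pass over the AVC denials Nicolas posted for systemd-networkd, as an added example written for this thread; it is neither refpolicy code nor part of the mail. It groups each denied permission by source type, target type and object class, collapses same-type targets to `self`, emits `dontaudit` instead of `allow` for the net_admin capability because the commit message shows the SO_SNDBUFFORCE attempt falls back cleanly, and annotates each allow with the refpolicy interface the proposed systemd_parse_log_environment() relies on for that target (the mapping is read off the comments in the posted interface and is an assumption beyond them). Because the denials were logged with permissive=1, the whole access set appears in one run; in enforcing mode only the first denial of each step would show up and you would iterate.

```python
"""Aggregate SELinux AVC denials into candidate policy rules.

Added example for this thread (not refpolicy code, not part of the mail):
a small audit2allow-style pass over the denials posted for systemd-networkd.
"""
import re
from collections import defaultdict

# The denial records from the mail, one per line (the mail wrapped them).
AVC_LOG = """\
type=AVC msg=audit(1452497098.233:181): avc:  denied  { search } for pid=848 comm="systemd-network" name="1" dev="proc" ino=11 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=dir permissive=1
type=AVC msg=audit(1452497098.233:181): avc:  denied  { read } for pid=848 comm="systemd-network" name="environ" dev="proc" ino=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:181): avc:  denied  { open } for pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc" ino=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:182): avc:  denied  { read } for pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:182): avc:  denied  { open } for pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:183): avc:  denied  { getattr } for pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:184): avc:  denied  { create } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1452497098.233:185): avc:  denied  { getopt } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1452497098.233:186): avc:  denied  { setopt } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1452497098.233:186): avc:  denied  { net_admin } for pid=848 comm="systemd-network" capability=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=capability permissive=1
type=AVC msg=audit(1452497098.233:187): avc:  denied  { connect } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1452497098.233:187): avc:  denied  { write } for pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1452497098.233:187): avc:  denied  { sendto } for pid=848 comm="systemd-network" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (target type, class) -> refpolicy interface that grants it.  Taken from the
# comments in the posted systemd_parse_log_environment(); an assumption for
# the logging_send_syslog_msg entries, which the interface calls as a whole.
INTERFACE_HINTS = {
    ("init_t", "dir"): "init_read_state",
    ("init_t", "file"): "init_read_state",
    ("proc_t", "file"): "kernel_read_system_state",
    ("devlog_t", "sock_file"): "logging_send_syslog_msg",
    ("syslogd_t", "unix_dgram_socket"): "logging_send_syslog_msg",
    ("self", "unix_dgram_socket"): "logging_send_syslog_msg",
}

# (class, permission) pairs to silence rather than allow: the commit message
# shows the SO_SNDBUFFORCE attempt degrades to SO_SNDBUF when denied.
DONTAUDIT = {("capability", "net_admin")}


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per denied permission, with the key=value fields split."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        for perm in m.group("perms").split():
            yield {"perm": perm, **fields}


def aggregate(records):
    """Group permissions by (source type, target type, class); a target of the
    source's own type is written as 'self', as policy does."""
    grouped = defaultdict(set)
    for r in records:
        stype, ttype = type_of(r["scontext"]), type_of(r["tcontext"])
        if ttype == stype:
            ttype = "self"
        grouped[(stype, ttype, r["tclass"])].add(r["perm"])
    return dict(grouped)


def render_rules(grouped):
    """Emit allow/dontaudit statements sorted by (source, target, class), each
    allow annotated with the interface that would grant it."""
    out = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        quiet = {p for p in perms if (tclass, p) in DONTAUDIT}
        for keyword, ps in (("allow", perms - quiet), ("dontaudit", quiet)):
            if not ps:
                continue
            rule = f"{keyword} {stype} {ttype}:{tclass} {{ {' '.join(sorted(ps))} }};"
            hint = INTERFACE_HINTS.get((ttype, tclass)) if keyword == "allow" else None
            out.append(rule + (f"  # {hint}({stype})" if hint else ""))
    return out


if __name__ == "__main__":
    print("\n".join(render_rules(aggregate(parse_avc(AVC_LOG)))))
```

The output makes the shape of the patch visible: three interfaces plus one dontaudit cover all seven (source, target, class) groups, and the unix_dgram_socket, sock_file and syslogd_t lines are the ones that come from logging_send_syslog_msg(), which is why bundling that call into the new interface or keeping it separate is the real design question in the thread.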
Thread overview: 4+ messages
2016-01-11 19:07 [refpolicy] [RFC PATCH] Add an interface for systemd services logging config Nicolas Iooss
2016-01-11 20:41 ` Dominick Grift [this message]
2016-01-11 22:06   ` Nicolas Iooss
2016-01-12  8:29     ` Dominick Grift
